mathjs, Improperly Controlled Modification of Dynamically-Determined Object Attributes, GHSA-jvff-x2qm-6286 (High)

Listen to this Post

The vulnerability resides in the expression parser of the mathjs library, specifically in how it handles dynamically‑determined object attributes. When a user‑supplied expression is evaluated, the parser fails to properly sanitize or restrict the modification of these dynamic attributes. An attacker can craft an expression that manipulates object properties in a way that escapes the intended sandbox. By leveraging JavaScript’s prototype chain or by overwriting internal methods, the malicious expression can break out of the parser’s context and execute arbitrary JavaScript code. For example, an expression might attempt to modify the `constructor` or `__proto__` of a parsed object, leading to prototype pollution. Once prototype pollution is achieved, the attacker can inject arbitrary properties into the global object, which can then be used to execute arbitrary functions or access sensitive data. This chain of events allows the attacker to run any JavaScript code on the host system, effectively bypassing all security boundaries. The issue is particularly dangerous because the mathjs parser is often used in applications that allow users to input mathematical expressions (e.g., calculators, data‑analysis tools). Without proper input validation, an attacker can submit a malicious expression that triggers the vulnerability. The root cause is the lack of controls when the parser modifies object attributes based on user input, combined with insufficient sandboxing of the evaluation environment. The vulnerability is fixed in mathjs v15.2.0 by introducing stricter attribute validation and a more robust sandbox.

DailyCVE Form

Platform: npm/mathjs
Version: <15.2.0
Vulnerability: Arbitrary JavaScript
Severity: High (8.8)
date: 2026-04-10

Prediction: 2026-04-10 (already)

What Undercode Say:

Analytics:

Check if your application uses a vulnerable version
npm list mathjs | grep -E "mathjs@([0-9]+.[0-9]+.[0-9]+)" | while read line; do
version=$(echo $line | sed -E 's/.mathjs@([0-9]+.[0-9]+.[0-9]+)./\1/')
if [[ "$version" < "15.2.0" ]]; then
echo "Vulnerable version detected: $version"
else
echo "Safe version: $version"
fi
done

Exploit:

A simple proof‑of‑concept expression that attempts to pollute the prototype:

const math = require('mathjs');
// Malicious user input
const maliciousExpr = "({}).<strong>proto</strong>.polluted = 'yes'";
math.evaluate(maliciousExpr);
console.log(({}).polluted); // 'yes' → prototype pollution successful

Protection from this CVE:

Upgrade to mathjs v15.2.0 or later. There is no workaround other than upgrading.

Impact:

Arbitrary JavaScript execution, leading to full compromise of the application, data theft, or remote code execution.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top